ForeFront Client Security

Hello

I am running WSUS 3.0 sp1 on Windows 2008. Currently we are using WSUS to
push patches out to all of our servers, and we are using group policy to
deploy patches. The GPO is set to 3 "auto download and notify for install"
We manually go into WSUS and approve the patches that we want the servers to
get by approving them for a particular group. In WSUS we seperate servers
into group and these groups match the OU name the servers are in. We now
have installed Forefront client security and the servers will be getting the
client from WSUS. When i force the server to check in with the WSUS server
to force the FFC install the server will notify the admin on the box that an
update is available for install, and this is the problem i am running into.
We have 800 servers, and it would take months if admins had to manually log
onto the server and manually install the FFC, i know i can automatically
approve updates, and i have, but this setting doesnt automatically install
the FFC, it only automatically installes the updates for the client.

How can i get the main FFC to be automatically installed, and at the same
time all other security and critical updates need to be manually approved in
WSUS and the server notifys the admin for install? I cant create multiple
GPO's one gpo is set to 3 and is meant for manual approval in WSUS, and
another GPO is set to 4, because in WSUS as far as i know machines cant be
members of multiple groups.

Thanks for any help on this

"Sawyer" <> wrote in message
news:B29CD704-19EA-4C64-908F-...

> When i force the server to check in with the WSUS server to force the FFC
> install the server will notify the admin on the box that an update is
> available for install, and this is the problem i am running into. We have
> 800 servers, and it would take months if admins had to manually log onto
> the server and manually install the FFC, i know i can automatically
> approve updates, and i have, but this setting doesnt automatically install
> the FFC, it only automatically installes the updates for the client.

> How can i get the main FFC to be automatically installed, and at the same
> time all other security and critical updates need to be manually approved
> in WSUS and the server notifys the admin for install?

Set an *expired* deadline on the Forefront Client package, and the Forefront
Client will be installed immediately upon detection (be careful about
required system restarts).

> because in WSUS as far as i know machines cant be members of multiple
> groups.

Actually they *can* be members of multiple WSUS target groups, but multiple
group memberships won't solve this problem. The machine can still only have
one composite policy configuration applied, and only one AUOptions value
active -- so your conclusion is valid, even though your reasoning is
incorrect.


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

Briliant recomendation this should do the trick. As far as i know the FFC
doesnt require a restart even when automatically installed, so i should be
ok with this, but i will have to test this out in a lab to make sure. Thanks
again!
"Lawrence Garvin [MVP]" <> wrote in message
news:...
> "Sawyer" <> wrote in message
> news:B29CD704-19EA-4C64-908F-...
>
>> When i force the server to check in with the WSUS server to force the FFC
>> install the server will notify the admin on the box that an update is
>> available for install, and this is the problem i am running into. We have
>> 800 servers, and it would take months if admins had to manually log onto
>> the server and manually install the FFC, i know i can automatically
>> approve updates, and i have, but this setting doesnt automatically
>> install the FFC, it only automatically installes the updates for the
>> client.
>
>> How can i get the main FFC to be automatically installed, and at the same
>> time all other security and critical updates need to be manually approved
>> in WSUS and the server notifys the admin for install?
>
> Set an *expired* deadline on the Forefront Client package, and the
> Forefront Client will be installed immediately upon detection (be careful
> about required system restarts).
>
>> because in WSUS as far as i know machines cant be members of multiple
>> groups.
>
> Actually they *can* be members of multiple WSUS target groups, but
> multiple group memberships won't solve this problem. The machine can still
> only have one composite policy configuration applied, and only one
> AUOptions value active -- so your conclusion is valid, even though your
> reasoning is incorrect.
>
>
> --
> Lawrence Garvin, M.S., MCITP:EA, MCDBA
> Principal/CTO, Onsite Technology Solutions, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2009)
>
> MS WSUS Website: http://www.microsoft.com/wsus
> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
>